
Root LG Tribute Stock ZV5 Deodexed & Unmodified [4.4.2]

I always use notepad++. I deodexed zv6 and finally got it to install but I get hit with an LG security error screen that bootloops. I checked my scripts, they're perfect. Tried the binary from the zv5, still the security error, and tried binary from zv6, same issue. I think something may have been patched to prevent a custom ROM from being installed. I know twrp is a bumped image, so I'm wondering if we need an oem unlock... I sure hope not. No boot.img we have will work either. I'm still digging into it, but I'm coming up empty handed right now.

Side note; I am stuck using Windows 7 to do all of this, so I'm keeping my fingers crossed and hoping that might be the issue.
You just need to bump the boot.img in the ROM :)

edit: if you post a link to the zv6 boot.img, I can do it for you
 
  • Like
Reactions: modhatter6811
Upvote 0
You just need to bump the boot.img in the ROM :)

edit: if you post a link to the zv6 boot.img, I can do it for you

You got it!
Edit; Found this too. Invisiblek says open bump could be built into twrp since the boot.img needs to be extracted before installing it. It should work for just about any LG device as far as I can tell. Commit is here.
https://github.com/invisiblek/andro...2a0fb#diff-39581f8c008367cb2f7df68d1c3a263eR4

Xda thread is here.
http://forum.xda-developers.com/lg-g2/orig-development/tool-bump-sign-boot-images-t2950595
 

Attachments

  • ZV6boot.zip
    22 MB · Views: 173
Last edited:
Upvote 0
Can the zv5 boot.img be flashed after having the zv6 update radio.img break connectivity? Or is there a different way to skin this cat?

I can't say for sure, however I think you're right about that. Data breaking was the first thing that came to mind. Bumping the boot.img should do the trick. I can't wait to test it and find out.
 
  • Like
Reactions: HasH_BrowN
Upvote 0
I am not sure what you mean

I was wondering if the fact that I'm flashing from a ZV6 build had anything to do with it. I noticed some things about it. If I wipe everything in TWRP then flash it, it gives a binary error, followed by "some symlinks failed". If I wipe nothing, twrp will format everything and install it correctly.
 
Upvote 0
I was wondering if the fact that I'm flashing from a ZV6 build had anything to do with it. I noticed some things about it. If I wipe everything in TWRP then flash it, it gives a binary error, followed by "some symlinks failed". If I wipe nothing, twrp will format everything and install it correctly.
It really depends on what the update contains. If it updates the bootloader, it is possible you could flash a zv6 rom without the new bootloader and it would work fine.
 
Upvote 0
It really depends on what the update contains. If it updates the bootloader, it is possible you could flash a zv6 rom without the new bootloader and it would work fine.

I pulled apart the bumped boot image, I found a reference to secure boot located in init.lge, which points to the "wallpaper" file located in sbin. I have a feeling a small change can be made somewhere to get it working. I'll keep digging. It's not over yet.
 
Last edited:
Upvote 0
I pulled apart the bumped boot image, I found a reference to secure boot located in init.lge, which points to the "wallpaper" file located in sbin. I have a feeling a small change can be made somewhere to get it working. I'll keep digging. It's not over yet.
Try tossing this wallpaper file in /ramdisk/sbin in place of the existing one. I changed all the secure stuff to the opposite. So theoretically if the boot.img is signed it will fail, and proceed with boot if it is not signed which is the case here. Let me know how it goes. If you want me to build a new img for you to test let me know :)

edit: I should say I doubt it will work lol
 

Attachments

  • wallpaper.zip
    195.4 KB · Views: 126
Last edited:
  • Like
Reactions: modhatter6811
Upvote 0
Okay down to the nitty gritty.
  • With the zv6 update in place, will reinstalling the zv5 boot.img fix data?
  • If not, I know what to do. If it can, will the radio.img be deleted?
  • If radio.img doesn't get deleted, how can I delete it manually?
  • And if not, will it cause issues or corruption of the boot.img?
  • Does the boot.img need to be bumped?

Excuse me if the questions seem ignorant and lackadaisical, but there is confusion amongst the masses. The more we know about how to overcome the issues that arose from this update, the happier we all will be.
 
Last edited:
Upvote 0
Try tossing this wallpaper file in /ramdisk/sbin in place of the existing one. I changed all the secure stuff to the opposite. So theoretically if the boot.img is signed it will fail, and proceed with boot if it is not signed which is the case here. Let me know how it goes. If you want me to build a new img for you to test let me know :)

edit: I should say I doubt it will work lol

This ought to be fun. I also found in system/firmware/ files that relate to manufacturer keys, they're encoded, but I don't know in what way. I did manage to open it in notepad; most things were unreadable, but I looked through what was readable anyway, and discovered references back to the radio.img. So I grabbed it out of the zv6 update, tried unpacking it, no dice, so on a hunch tried opening it as a zip, and got this...(see attachment) I believe we could find another exploit with the info in these files.
 

Attachments

  • Screenshot_2015-09-24-18-16-28.png
    86.1 KB · Views: 172
  • Like
Reactions: HasH_BrowN
Upvote 0
Awesome work @modhatter6811!!!
Is that the diamond in the rough??

That's what I'm hoping for. I'm following bread crumbs and thinking it leads to the bakery. Cryptography is not my bag, but I'm not letting that slow me down. I'm going to try looking at some things with a hex editor. I bet there's some magic in there somewhere.
 
  • Like
Reactions: HasH_BrowN
Upvote 0
That's what I'm hoping for. I'm following bread crumbs and thinking it leads to the bakery. Cryptography is not my bag, but I'm not letting that slow me down. I'm going to try looking at some things with a hex editor. I bet there's some magic in there somewhere.
That would just make my head explode.

BTW, I (with help directing me in the right direction @WarrantyVoider and massive help with the script @scary alien) have completed the bootloop fix zip. Be posting in a minute. Never thought that getting 2 simple commands executed during a flash would prove to be so hard. A lot different than I thought it would be written.
Perseverance is champion!!
 
  • Like
Reactions: WarrantyVoider
Upvote 0
So I grabbed it out of the zv6 update, tried unpacking it, no dice, so on a hunch tried opening it as a zip, and got this...(see attachment) I believe we could find another exploit with the info in these files.
radio.img is just a zip containing images to some partitions. I am not 100% sure, but I think:
emmc_appsboot.mbn => aboot (bootloader)
factory_ramdisk.img => factory (with minios3, seems to be the kernel/ramdisk used for the factory test within the hidden menu)
laf.img => laf (download mode)
NON-HLOS.bin => modem (a vfat volume mounted at /firmware; probably modem firmware)
rpm.mbn => rpm (ELF binary)
sdi.mbn => sdi
tz.mbn => tz (ELF binary; maybe used to write to Trusted Zone?)

It seems only NON-HLOS.bin is mounted after boot. The other ones are probably used for booting and device maintenance. When an update is being installed by the stock recovery, it seems radio.img is treated differently than the other parts like system files, boot.img, recovery.img, etc. Unfortunately, I don't know whether it's safe to manually write any of these to the partitions.
 
Upvote 0
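As an added example (not code from the thread or from LG), a small Python script that does what the post above describes: opens a radio.img-style zip, maps each member to the partition the poster lists, and guesses each member's container format from its magic bytes. The zip it inspects is constructed in memory with fake contents, and the member-to-partition table is the poster's own guess, not vendor documentation.

```python
import io
import zipfile

# Partition roles as listed in the post above (the poster's own guesses).
PARTITION_FOR_MEMBER = {
    "emmc_appsboot.mbn": "aboot", "factory_ramdisk.img": "factory",
    "laf.img": "laf", "NON-HLOS.bin": "modem", "rpm.mbn": "rpm",
    "sdi.mbn": "sdi", "tz.mbn": "tz",
}

def classify(data: bytes) -> str:
    # Guess the container format from well-known magic values.
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:8] == b"ANDROID!":          # Android boot image header
        return "android-boot"
    if len(data) >= 512 and data[510:512] == b"\x55\xaa" and data[0] in (0xEB, 0xE9):
        return "fat-volume"              # boot sector: jump opcode + 0x55AA
    return "unknown"

def inventory(blob: bytes) -> dict:
    # Map each zip member to (partition, format, size in bytes).
    result = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            result[info.filename] = (PARTITION_FOR_MEMBER.get(info.filename, "?"),
                                     classify(data), len(data))
    return result

def build_sample_radio_zip() -> bytes:
    # Constructed stand-in for radio.img; member contents are fake.
    fat = bytearray(512)
    fat[0:3] = b"\xeb\x3c\x90"
    fat[510:512] = b"\x55\xaa"
    members = {
        "emmc_appsboot.mbn": b"\x7fELF" + bytes(60),
        "laf.img": b"ANDROID!" + bytes(56),
        "NON-HLOS.bin": bytes(fat),
        "sdi.mbn": bytes(16),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for name, (part, fmt, size) in inventory(build_sample_radio_zip()).items():
        print(f"{name:20} -> {part:8} {fmt:13} {size} bytes")
```

Point it at a real radio.img by reading the file into `inventory()`; members whose format comes back as "unknown" (sdi.mbn in the sample) are the ones to leave alone until their layout is understood.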
radio.img is just a zip containing images to some partitions. I am not 100% sure, but I think:
emmc_appsboot.mbn => aboot (bootloader)
factory_ramdisk.img => factory (with minios3, seems to be the kernel/ramdisk used for the factory test within the hidden menu)
laf.img => laf (download mode)
NON-HLOS.bin => modem (a vfat volume mounted at /firmware; probably modem firmware)
rpm.mbn => rpm (ELF binary)
sdi.mbn => sdi
tz.mbn => tz (ELF binary; maybe used to write to Trusted Zone?)

It seems only NON-HLOS.bin is mounted after boot. The other ones are probably used for booting and device maintenance. When an update is being installed by the stock recovery, it seems radio.img is treated differently than the other parts like system files, boot.img, recovery.img, etc. Unfortunately, I don't know whether it's safe to manually write any of these to the partitions.
So it's not a wise idea to cherry-pick?
 
Upvote 0
radio.img is just a zip containing images to some partitions. I am not 100% sure, but I think:
emmc_appsboot.mbn => aboot (bootloader)
factory_ramdisk.img => factory (with minios3, seems to be the kernel/ramdisk used for the factory test within the hidden menu)
laf.img => laf (download mode)
NON-HLOS.bin => modem (a vfat volume mounted at /firmware; probably modem firmware)
rpm.mbn => rpm (ELF binary)
sdi.mbn => sdi
tz.mbn => tz (ELF binary; maybe used to write to Trusted Zone?)

It seems only NON-HLOS.bin is mounted after boot. The other ones are probably used for booting and device maintenance. When an update is being installed by the stock recovery, it seems radio.img is treated differently than the other parts like system files, boot.img, recovery.img, etc. Unfortunately, I don't know whether it's safe to manually write any of these to the partitions.

This is exactly the kind of info I was looking for, specifically this part; "emmc_appsboot.mbn => aboot (bootloader)". This is definitely where I need to be looking if this is true. Thank you!

Edit; On second thought, tz.mbn is also worth checking out.
 
Last edited:
Upvote 0
From what I've learned the key is AES-256 bit and the kernel is set to verify the system against the manufacturer security key and fail secure boot in the event of a mismatch. It's possible to change this, and set a new key to be used, however it would still need to be placed into a wrapper that contained the original key in x509.pem. So, unfortunately this method is useless to us. I'm also starting to see reports on xda of the zv6 update for other lg phones making permanent changes to the bootloader. As in, locking down the bump exploit. o_O I'm confident whatever they did can be reversed, and that the info to do it is in the zv6 update somewhere. We may be able to create something that looks like an ota update to make changes to the bootloader is what I'm thinking. I'm just not sure how to go about it yet.
 
Upvote 0